GHSA-wc36-xgcc-jwpr

Source
https://github.com/advisories/GHSA-wc36-xgcc-jwpr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-wc36-xgcc-jwpr/GHSA-wc36-xgcc-jwpr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wc36-xgcc-jwpr
Published
2022-06-17T00:01:02Z
Modified
2023-11-08T04:23:45.241320Z
Summary
Failure to verify the public key of a `SignedEnvelope` against the `PeerId` in a `PeerRecord`
Details

Affected versions of this crate did not check that the public key the signature was created with matches the peer ID of the peer record. Any combination was considered valid.

This allows an attacker to republish an existing `PeerRecord` with a different `PeerId`.
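
The missing check, sketched as an added example (not code from libp2p-core or from this advisory). The types, the hash-based `to_peer_id`, and the toy `seal`/`signature_ok` are simplified stand-ins assumed for illustration; the hash is not a real signature scheme.

```rust
// Added illustration: simplified stand-in types, not libp2p-core's real API.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

fn h<T: Hash>(v: &T) -> u64 {
    let mut s = DefaultHasher::new();
    v.hash(&mut s);
    s.finish()
}

#[derive(Clone, Hash)]
struct PublicKey(Vec<u8>);
impl PublicKey {
    // Assumed stand-in for deriving a peer ID from a public key.
    fn to_peer_id(&self) -> u64 { h(&self.0) }
}

#[derive(Clone, Hash)]
struct PeerRecord { peer_id: u64, addresses: Vec<String> }
struct SignedEnvelope { key: PublicKey, payload: PeerRecord, signature: u64 }

impl SignedEnvelope {
    // Toy "signature": a hash over key and payload. NOT cryptography; it only
    // models "the signature verifies under the key carried in the envelope".
    fn seal(key: PublicKey, payload: PeerRecord) -> Self {
        let signature = h(&(&key, &payload));
        SignedEnvelope { key, payload, signature }
    }
    fn signature_ok(&self) -> bool { self.signature == h(&(&self.key, &self.payload)) }
}

// Behaviour the advisory describes: only the signature is checked.
fn from_signed_envelope_unchecked(e: &SignedEnvelope) -> Option<PeerRecord> {
    if !e.signature_ok() { return None; }
    Some(e.payload.clone())
}

// With the missing check: the signing key must map to the record's peer ID.
fn from_signed_envelope_checked(e: &SignedEnvelope) -> Option<PeerRecord> {
    if !e.signature_ok() || e.key.to_peer_id() != e.payload.peer_id { return None; }
    Some(e.payload.clone())
}

fn main() {
    // Constructed sample: the envelope key and the record's peer ID disagree.
    let (a, b) = (PublicKey(vec![1; 32]), PublicKey(vec![2; 32]));
    let rec = PeerRecord { peer_id: a.to_peer_id(), addresses: vec!["/ip4/192.0.2.1/tcp/4001".into()] };
    let env = SignedEnvelope::seal(b, rec);
    println!("unchecked: {}, checked: {}", from_signed_envelope_unchecked(&env).is_some(), from_signed_envelope_checked(&env).is_some());
}
```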

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-17T00:01:02Z"
}

Affected packages

crates.io / libp2p-core

Affected ranges

Type
SEMVER
Events
Introduced
0.30.0-rc.1
Fixed
0.30.2

Ecosystem specific

{
    "affected_functions": [
        "libp2p_core::PeerRecord::from_signed_envelope"
    ]
}